OpenVPN 2.6.6 on Fedora 39: How to fix your connectivity to legacy OpenVPN servers!

Last week, the Fedora Project published its latest and greatest release, Fedora 39. That means Fedora 38 will still be supported for about half a year, and Fedora 37 has no more than a few weeks of support left. So over the weekend I updated my laptop. First I backed up my whole system to a USB stick, then I upgraded using the well-known formula:

sudo dnf -y update && \
sudo dnf -y install dnf-plugin-system-upgrade && \
sudo dnf system-upgrade download --releasever=39 && \
sudo dnf system-upgrade reboot

Updating was a pretty smooth operation. But today, when I wanted to log in to my servers in the datacenter, I found that OpenVPN could not connect anymore, even though the configuration file hadn't changed by a single letter. Time to investigate.

Problem 1: Ciphers

First, I found this message in the logs:

DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305).
OpenVPN ignores --cipher for cipher negotiations.

The --data-ciphers option is new in OpenVPN 2.5 (it replaced --ncp-ciphers), and in version 2.6 it defaults to AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305. The old --cipher option no longer takes part in negotiation at all: the client only accepts a data channel cipher that is in its --data-ciphers list. Because AES-256-CBC is not in there, a server that insists on it cannot get a data channel set up. To fix this, I added:

--data-ciphers AES-256-CBC:AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305

The list is in order of preference, so I would rather put AES-256-CBC at the end and keep the AEAD ciphers in front. And keep in mind what you are re-enabling: AES-256-CBC is not an AEAD cipher and relies on the separate --auth HMAC for integrity, so treat this as a bridge until the legacy servers are upgraded (a 2.4 server can already do GCM via ncp-ciphers), not as the new normal.
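As an added example (not from the original post, nor from OpenVPN itself), the following shell script makes the check repeatable across a handful of client profiles: it reads a client config, reports the cipher that OpenVPN 2.6 will ignore, and prints a corrected data-ciphers line with the legacy cipher appended at the end. The demo config at the bottom is constructed for the example, and vpn.example.org is a made-up hostname.

```shell
#!/bin/sh
# Added example, not code from the original post: audit an OpenVPN client config
# for a "cipher" value that is missing from "data-ciphers", which is exactly what
# the "DEPRECATED OPTION: --cipher set to ... but missing in --data-ciphers" log
# line complains about on OpenVPN 2.5/2.6, and emit the corrected directive.
# The sample config at the bottom is constructed for the demo.

# What OpenVPN 2.6 uses when the config has no data-ciphers line at all.
OVPN26_DEFAULT_DATA_CIPHERS="AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305"

# Value of the first "cipher" directive (upper-cased, empty if absent).
# Matching on $1 skips comments and does not confuse "data-ciphers" with "cipher".
ovpn_cipher() {
    awk '$1 == "cipher" { print toupper($2); exit }' "$1"
}

# Effective data-ciphers list: the config's own line, or the 2.6 default.
ovpn_data_ciphers() {
    dc=$(awk '$1 == "data-ciphers" { print toupper($2); exit }' "$1")
    printf '%s\n' "${dc:-$OVPN26_DEFAULT_DATA_CIPHERS}"
}

# Print the cipher OpenVPN will ignore, or nothing when the config is consistent.
ovpn_cipher_gap() {
    c=$(ovpn_cipher "$1")
    [ -n "$c" ] || return 0
    case ":$(ovpn_data_ciphers "$1"):" in
        *":$c:"*) ;;                   # already negotiable, nothing to report
        *)        printf '%s\n' "$c" ;;
    esac
}

# Corrected data-ciphers directive. The legacy cipher is appended at the END:
# the AEAD ciphers stay in front, and the CBC entry only serves servers that
# cannot negotiate anything newer.
ovpn_fix_data_ciphers() {
    gap=$(ovpn_cipher_gap "$1")
    if [ -n "$gap" ]; then
        printf 'data-ciphers %s:%s\n' "$(ovpn_data_ciphers "$1")" "$gap"
    else
        printf 'data-ciphers %s\n' "$(ovpn_data_ciphers "$1")"
    fi
}

# Demo on a constructed config resembling a pre-2.5 client profile.
demo_cfg=$(mktemp)
cat > "$demo_cfg" <<'EOF'
client
dev tun
proto udp
remote vpn.example.org 1194
# legacy server, still CBC only
cipher AES-256-CBC
auth SHA256
EOF
echo "ignored cipher: $(ovpn_cipher_gap "$demo_cfg")"
echo "suggested line: $(ovpn_fix_data_ciphers "$demo_cfg")"
rm -f "$demo_cfg"
```

Point ovpn_fix_data_ciphers at each .ovpn file and paste its output into the profile; a profile that already lists its cipher in data-ciphers comes back unchanged, and one without a cipher line gets its existing (or the default) list back.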

Problem 2: MTU

Then I found a second set of messages:

WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1532', remote='tun-mtu 1500'
WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1590', remote='link-mtu 1622'
Option inconsistency warnings triggering disconnect due to --opt-verify
SENT CONTROL [mekker]: 'AUTH_FAILED' (status=1)

I've seen both warning messages together and each of them on its own, with dozens of different numbers, and they were always followed by the opt-verify line and an AUTH_FAILED message. The disconnect itself comes from --opt-verify, which turns an options mismatch from a warning into a fatal error; removing it on whichever side has it would only hide the mismatch, so the real job is to make the announced MTU values agree again. For me, the cure was to fiddle a bit with the --tun-mtu option. Note that the signature of this option used to be:

--tun-mtu n = Take the TUN device MTU to be n and derive the link MTU from it (default=1500).

But in 2.6 it is:

--tun-mtu args = tun-mtu [tun-mtu] [occ-mtu]

The first value is the MTU actually set on the tun device. The optional second value, occ-mtu, is the MTU announced to the peer in the options consistency check (OCC); that is the knob for talking to older servers, because the local MTU can stay at a sane 1500 while the announced value is whatever the legacy peer expects.
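As an added example (not from the original post), the following shell script pulls the local/remote pairs out of those warnings and works out the overhead each side assumes (link-mtu minus tun-mtu), which is the number that actually differs between a 2.6 client and an older server. The log excerpt at the bottom is constructed from the lines quoted above.

```shell
#!/bin/sh
# Added example, not from the original post: pull the local/remote MTU pairs out of
# OpenVPN's "is used inconsistently" warnings so the numbers can be compared at a
# glance before picking the two values for "tun-mtu <tun-mtu> <occ-mtu>".
# The sample log at the bottom is constructed from the lines quoted in the post.

# One line per warning: "<option> local=<n> remote=<m> diff=<m-n>".
# The leading ".*" tolerates the timestamp real log lines carry in front.
ovpn_mtu_mismatch() {
    sed -n "s/.*WARNING: '\([a-z-]*mtu\)' is used inconsistently, local='[a-z-]*mtu \([0-9]*\)', remote='[a-z-]*mtu \([0-9]*\)'.*/\1 \2 \3/p" "$1" |
        awk '{ printf "%s local=%s remote=%s diff=%d\n", $1, $2, $3, $3 - $2 }'
}

# Overhead each side assumes on top of the tun MTU (link-mtu minus tun-mtu).
# Needs both warnings; prints nothing when one of them is missing.
ovpn_mtu_overhead() {
    ovpn_mtu_mismatch "$1" | awk '
        { split($2, l, "="); split($3, r, "=") }
        $1 == "tun-mtu"  { lt = l[2]; rt = r[2] }
        $1 == "link-mtu" { ll = l[2]; rl = r[2] }
        END { if (lt != "" && ll != "") printf "overhead local=%d remote=%d\n", ll - lt, rl - rt }'
}

# True when the log shows --opt-verify turning the mismatch into a disconnect.
ovpn_optverify_disconnect() {
    grep -q 'disconnect due to --opt-verify' "$1"
}

# Demo on a constructed excerpt made from the lines quoted in the post.
demo_log=$(mktemp)
cat > "$demo_log" <<'EOF'
WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1532', remote='tun-mtu 1500'
WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1590', remote='link-mtu 1622'
Option inconsistency warnings triggering disconnect due to --opt-verify
SENT CONTROL [mekker]: 'AUTH_FAILED' (status=1)
EOF
ovpn_mtu_mismatch "$demo_log"
ovpn_mtu_overhead "$demo_log"
if ovpn_optverify_disconnect "$demo_log"; then
    echo "opt-verify turned the mismatch into a disconnect"
fi
rm -f "$demo_log"
```

Run it on the client log (the systemd unit's journal, or whatever --log points at). For the lines quoted above it reports 58 bytes of overhead on the local side against 122 on the remote side: the two versions account for overhead differently, and that difference is what surfaces as the inconsistency warnings.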

In my specific situation, I got all connections working using the following settings:

Server side version and settings, client side version and settings:

Server: OpenVPN 2.4.7 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 20 2019
        library versions: OpenSSL 1.1.1d 10 Sep 2019, LZO 2.10
        running on a Raspbian 10.2 device
Server settings: no MTU settings, just defaults
Client: OpenVPN 2.6.6 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO]
        library versions: OpenSSL 3.1.1 30 May 2023, LZO 2.10
Client settings: --tun-mtu 1500 1532

Server: OpenVPN 2.5.9 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 16 2023
        library versions: OpenSSL 3.0.7 1 Nov 2022, LZO 2.10
        running on AlmaLinux 9.2
Server settings: no MTU settings, just defaults
Client: OpenVPN 2.6.6 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO]
        library versions: OpenSSL 3.1.1 30 May 2023, LZO 2.10
Client settings: --tun-mtu 1500 1532

Server: OpenVPN 2.4.9 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 24 2020
        library versions: OpenSSL 1.0.1e-fips 11 Feb 2013, LZO 2.03
        running on CentOS 6.10
Server settings: no MTU settings, just defaults
Client: OpenVPN 2.6.6 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO]
        library versions: OpenSSL 3.1.1 30 May 2023, LZO 2.10
Client settings: --tun-mtu 1500 1500

Server: OpenVPN 2.4.7 mips-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 22 2022
        library versions: OpenSSL 1.0.2u 20 Dec 2019, LZO 2.08
        running on a Ubiquiti EdgeRouter 12P
Server settings: no MTU settings, just defaults
Client: OpenVPN 2.6.6 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO]
        library versions: OpenSSL 3.1.1 30 May 2023, LZO 2.10
Client settings: [yet to be tested]

© GeekLabInfo OpenVPN 2.6.6 on Fedora 39: How to fix your connectivity to legacy OpenVPN servers! is a post from GeekLab.info. You are free to copy materials from GeekLab.info, but you are required to link back to http://www.geeklab.info


X11 over SSH

The base installations of CentOS 5 and Fedora 15 are well prepared for X11 over SSH. You just need to install one more package on the server you're connecting to: xorg-x11-xauth. According to yum info, the purpose of this package is:
xauth is used to edit and display the authorization information used in connecting to an X server.
In this context, "editing" means that sshd uses xauth to install the X11 authority cookie for the forwarded display on the server side; without it, the forwarded DISPLAY is set up but nothing can authenticate to it.

Installing is done using:
yum install xorg-x11-xauth

Then ssh into the box using:
ssh -X [servername]

Keep in mind that X11 forwarding gives the remote host a channel to your local X server, so a compromised server could read your keystrokes or grab your screen. Stick to -X (untrusted forwarding, unless your ssh_config sets ForwardX11Trusted yes, which some distributions do) rather than -Y (trusted forwarding), and only forward to hosts you trust.
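As an added example (not from the original post), here is a short shell check for the server side: it looks for the xauth binary and reads the effective X11Forwarding value from sshd_config, so you know before the first ssh -X whether the session can work at all. Match blocks in sshd_config are not handled, and the xauth search path is an assumption (it defaults to $PATH).

```shell
#!/bin/sh
# Added example, not part of the original post: a pre-flight check to run on the
# server before trying "ssh -X". It verifies the two things a forwarded X11 session
# needs on that side: the xauth binary (package xorg-x11-xauth) and X11Forwarding
# enabled in sshd_config. Match blocks in sshd_config are not handled.

# Effective X11Forwarding value from an sshd_config file. sshd takes the FIRST
# value it sees for a keyword, keywords are case-insensitive, and the default is "no".
sshd_x11_forwarding() {
    v=$(awk 'tolower($1) == "x11forwarding" { print tolower($2); exit }' "$1")
    printf '%s\n' "${v:-no}"
}

# Exit 0 when both prerequisites are met. $1: sshd_config path,
# $2: PATH-style list of directories to search for xauth (defaults to $PATH).
x11_fwd_ready() {
    cfg=$1
    dirs=${2:-$PATH}
    have_xauth=1
    old_ifs=$IFS; IFS=:
    for d in $dirs; do
        if [ -x "$d/xauth" ]; then have_xauth=0; break; fi
    done
    IFS=$old_ifs
    if [ "$have_xauth" -ne 0 ]; then
        echo "xauth not found in $dirs: install xorg-x11-xauth" >&2; return 1
    fi
    if [ "$(sshd_x11_forwarding "$cfg")" != "yes" ]; then
        echo "X11Forwarding is not enabled in $cfg" >&2; return 1
    fi
    return 0
}

# Run against the live config when this is executed on a server.
if [ -r /etc/ssh/sshd_config ]; then
    if x11_fwd_ready /etc/ssh/sshd_config; then
        echo "ready for ssh -X"
    else
        echo "not ready for ssh -X"
    fi
fi
```

The first-value-wins rule matters in practice: a commented-out or later duplicate X11Forwarding line does nothing, so the check reads the file the way sshd does instead of just grepping for "yes".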


USB Video DVD Maker for Linux

Today I borrowed a USB video device, just to see if I could get it working on Linux. And I did! The device's packaging says it supports PAL (720x576 @ 25 fps) and NTSC (720x480 @ 30 fps), but not much more.

According to lsusb, the device is built by eMPIA Technology, Inc. and has the id eb1a:2861. Because I have another webcam attached, it shows up as /dev/video1, a character device with major 81 and minor 1. The /sys filesystem has more information on the device, and the major:minor pair is the quickest way to find the right node:

cd /sys/dev/char/81:1

This is a symlink to (in my case) /sys/devices/pci0000:00/0000:00:1d.7/usb2/2-5/2-5:1.0/video4linux/video1. In this directory I find some more useful information; one of the file names tells me it is actually an em28xx-based device.

The device has two inputs: a set of RCA connectors carrying a composite signal, and an S-Video connector. The driver also registers two device nodes, /dev/video1 for the video stream and /dev/vbi0 for the VBI data; the physical input is selected with the input= parameter of the capture command, not by picking a node.

To display the screen of my Sony* HDR-SR11 camera, I use the command:

mplayer -cache 128 -tv driver=v4l2:device=/dev/video1:input=1:width=720:height=576:outfmt=i420 tv://

* Yes, a Sony. And I'm really sorry. I bought it several years ago. I'm boycotting Sony nowadays.


Google Talk on Fedora 13

For a few days now, Google has had this great feature that lets you dial landlines from your Gmail account. Unfortunately, they only ship a Linux client for Debian/Ubuntu. I'm using a custom repository with a lot of custom-built RPMs, and I really don't feel like switching away from Red Hat-style distributions for servers and clients.

How to use the .deb file on Fedora?

  • First, go to Gmail and click the "call" icon in the left sidebar
  • Download the .deb file offered. I use x86_64, so I get the file google-talkplugin_current_amd64.deb
  • Start a shell
  • mv [filename] /tmp
  • mkdir /tmp/googletalk
  • cd /tmp/googletalk
  • Now extract the file: ar vx ../google-talkplugin_current_amd64.deb
  • You get 3 files: control.tar.gz, data.tar.gz and debian-binary
  • Extract data.tar.gz: tar zxvf data.tar.gz
  • I don't want the Google crontab, which of course is Debian-based, so I only copy the relevant files: cp -R opt usr /

Now, on a Debian-based system we would be ready. But on Fedora the plugin asks for library sonames that don't exist there (libssl.so.0.9.8 and libcrypto.so.0.9.8), so point them at the versions Fedora ships:

  • cd /lib
  • ln -s libssl.so.1.0.0a libssl.so.0.9.8
  • ln -s libcrypto.so.1.0.0a libcrypto.so.0.9.8

Two caveats. The symlink trick only works as long as the binary sticks to the part of the OpenSSL API that did not change between 0.9.8 and 1.0.0; it is a hack, not a fix. And everything above bypasses the package manager, so nothing will ever update or remove these files for you: have a look at what is under opt and usr before you copy it into / as root.

Restart Firefox. Now you're done.
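As an added example (not from the original post), here is a small script that does the same unpacking into a staging directory, so the payload can be inspected before anything lands in /. It detects the compression of the data member, because newer .deb files use xz or zstd rather than gzip, and refuses anything that does not declare itself a format 2.0 package. The invocation in the usage comment is hypothetical; the file names are whatever you downloaded.

```shell
#!/bin/sh
# Added example, not from the original post: unpack a .deb into a staging
# directory and list where its files would land, instead of copying the payload
# straight into / as the post does. A .deb is an "ar" archive holding the members
# debian-binary, control.tar.* and data.tar.*; only the data tarball is unpacked.
# The compression is detected from the member name (gz, xz, zst or plain tar),
# because newer packages are no longer gzip-compressed.

# Unpack the data member of .deb $1 into staging directory $2; prints the member name.
deb_unpack_data() {
    deb=$1; dest=$2
    case $deb in /*) ;; *) deb=$PWD/$deb ;; esac   # ar runs in a scratch dir
    work=$(mktemp -d) || return 1
    mkdir -p "$dest"
    ( cd "$work" && ar x "$deb" ) || { rm -rf "$work"; return 1; }
    # A real .deb declares format 2.0 in its debian-binary member.
    if [ "$(cat "$work/debian-binary" 2>/dev/null)" != "2.0" ]; then
        echo "$deb: not a format 2.0 .deb" >&2; rm -rf "$work"; return 1
    fi
    data=$(ls "$work" | grep '^data\.tar' | head -n 1)
    case $data in
        *.gz)  gzip -dc "$work/$data" | tar -x -C "$dest" -f - ;;
        *.xz)  xz -dc "$work/$data"   | tar -x -C "$dest" -f - ;;
        *.zst) zstd -dc "$work/$data" | tar -x -C "$dest" -f - ;;
        *.tar) tar -x -C "$dest" -f "$work/$data" ;;
        *)     echo "$deb: no usable data.tar member" >&2; rm -rf "$work"; return 1 ;;
    esac
    status=$?
    rm -rf "$work"
    [ "$status" -eq 0 ] && printf '%s\n' "$data"
}

# Regular files in the staging dir, printed with the absolute path they would get.
deb_staged_files() {
    ( cd "$1" && find . -type f | sed 's|^\./|/|' | sort )
}

# Hypothetical usage: sh unpack-deb.sh google-talkplugin_current_amd64.deb /tmp/googletalk
if [ $# -ge 1 ]; then
    stage=${2:-./deb-stage}
    deb_unpack_data "$1" "$stage" >/dev/null && deb_staged_files "$stage"
else
    echo "usage: $0 package.deb [staging-dir]" >&2
fi
```

The listing is the point: it shows the cron job under /etc next to the plugin under /opt and /usr, so the decision about what to copy is made with the full file list in front of you rather than by guessing from two top-level directory names.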


MS Core fonts on Fedora 13

Due to licensing issues, Fedora cannot include the "core" fonts (Arial, Times, Verdana, etc.). Instead, Fedora offers an alternative under the name "Liberation fonts". Well, great. Except that 99.9% of all documents I receive use these core fonts, and I'm not planning to do a find and replace on each and every document I open.

So, I'm sorry to say this: I think trying to replace the core fonts is simply stupid.

How to build your own font package

wget https://www.geeklab.info/wp-content/uploads/2010/06/msttcore-fonts-2.0-3.spec
sudo yum install rpm-build cabextract
rpmbuild -ba msttcore-fonts-2.0-3.spec

Read the spec before you build it: it fetches and unpacks the font cabinet files (that is what cabextract is for), so you want to know where they come from. And run rpmbuild as your normal user, never as root; only the final rpm -i needs privileges.

Now install your package (rpm -qpl on the file first lists exactly what it is going to put on the system):

sudo rpm -i ~/rpmbuild/RPMS/noarch/msttcore-fonts-2.0-3.noarch.rpm
